Breach Background

You are a cybersecurity analyst working for a company named “SecureTech”. As part of your job, you are responsible for monitoring the company’s systems for any signs of intrusion.

One day, you were alerted to a potential breach when the company's security system detected unusual activity coming from the office Wi-Fi network: the honeypot had detected scanning from a device in the office IP range. Investigate the unusual network traffic.


Initial Compromise: Bring Your Own (Exploited) Device

An employee brought in their personal device to the office, which was already infected with malware. The attackers used the infected device to gain access to the company’s internal network and steal sensitive information.


Pivot and Escalate: New Service Creation/Modification

Once the attackers had access to the network, they moved laterally to other systems on the internal network. After pivoting to other devices, the attackers escalated their privileges by creating a new service on a compromised host and modifying its configuration so that it ran with elevated privileges, which gave them access to more sensitive parts of the company's systems. This allowed them to carry out the rest of their attack undetected.


Persistence: Logon Scripts

To maintain a persistent presence on the company's systems, the attackers used logon scripts that executed every time an employee logged into their computer. This allowed the attackers to remain hidden within the network and steal sensitive information over a long period of time.
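The two host-side techniques above (a service created and then modified, and a logon script set for persistence) both leave event-log traces. The following triage script is an added example and is not part of the scenario; it assumes Windows hosts, with events modelled on System log IDs 7045 (service installed) and 7040 (service start type changed) and Sysmon ID 13 (registry value set). The host names, users, SIDs, paths and events are constructed. It flags service installs whose binary lives outside the normal admin-only install paths, flags later configuration changes only for services it already considers suspicious (the "create, then modify" pattern), and flags writes to the UserInitMprLogonScript registry value, which userinit.exe runs at logon.

```python
# Added example: triage constructed Windows events for service
# creation/modification and logon-script persistence. Not from the scenario.
from dataclasses import dataclass
from typing import Iterable

# Paths only an administrator can normally write to; a new service whose
# binary lives elsewhere (user profile, Public, Temp) deserves a look.
TRUSTED_IMAGE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Registry value read by userinit.exe at logon (persistence via logon script).
LOGON_SCRIPT_VALUE = "userinitmprlogonscript"

# Constructed sample events (assumed shapes, not real log records).
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS-041", "user": r"SECURETECH\jdoe",
     "service": "WinUpdateHelper", "image": r"C:\Users\Public\svchelper.exe"},
    {"event_id": 7045, "host": "WS-041", "user": r"NT AUTHORITY\SYSTEM",
     "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 7040, "host": "WS-041", "user": r"SECURETECH\jdoe",
     "service": "WinUpdateHelper", "old_start": "demand start", "new_start": "auto start"},
    {"event_id": 7040, "host": "WS-041", "user": r"NT AUTHORITY\SYSTEM",
     "service": "BITS", "old_start": "auto start", "new_start": "demand start"},
    {"event_id": 13, "host": "WS-052", "user": r"SECURETECH\asmith",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "details": r"C:\Users\asmith\AppData\Roaming\sync.bat"},
    {"event_id": 13, "host": "WS-052", "user": r"SECURETECH\asmith",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\TEMP",
     "details": r"C:\Users\asmith\AppData\Local\Temp"},
]


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    detail: str


def service_image_is_trusted(image_path: str) -> bool:
    """True when the service binary sits under a normally admin-only path."""
    path = image_path.strip('"').lower()
    return path.startswith(TRUSTED_IMAGE_PREFIXES)


def triage(events: Iterable[dict]) -> list[Finding]:
    events = list(events)
    findings: list[Finding] = []
    suspicious_services: set[tuple[str, str]] = set()

    # Pass 1: service installs from untrusted locations.
    for ev in events:
        if ev["event_id"] == 7045 and not service_image_is_trusted(ev["image"]):
            suspicious_services.add((ev["host"], ev["service"].lower()))
            findings.append(Finding(ev["host"], ev["user"], "service_creation",
                                    f"service {ev['service']} installed from {ev['image']}"))

    # Pass 2: modifications of those services, and logon-script registry writes.
    # 7040 is noisy on its own (Windows retunes start types itself), so it is
    # only reported for services flagged in pass 1.
    for ev in events:
        eid = ev["event_id"]
        if eid == 7040 and (ev["host"], ev["service"].lower()) in suspicious_services:
            findings.append(Finding(ev["host"], ev["user"], "service_modification",
                                    f"service {ev['service']} start type "
                                    f"{ev['old_start']} -> {ev['new_start']}"))
        elif eid == 13 and ev["target"].lower().endswith(LOGON_SCRIPT_VALUE):
            findings.append(Finding(ev["host"], ev["user"], "logon_script",
                                    f"{ev['target']} set to {ev['details']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host} {f.user}: {f.detail}")
```

On the sample, the Spooler install and the BITS start-type change are ignored, while the user-profile service, its later switch to auto start, and the logon-script value are reported. In a real hunt the trusted-path list would be replaced by signer checks or a baseline of known service binaries.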


C2 and Exfil: Domain Fronting as C2

The attackers used Domain Fronting to hide their Command and Control (C2) traffic and to exfiltrate the stolen data from SecureTech's systems. When reviewing the firewall logs you notice requests going to a well-known, apparently harmless website hosted at a Cloudflare IP. The requests stand out because the TLS SNI does not match the HTTP Host header: the SNI, sent in the clear in the TLS ClientHello, names the well-known site, while the Host header inside the encrypted request names the attackers' C2 domain, which the CDN uses to route the request onward. Note that the Host header is only visible to a device that inspects or terminates TLS; without that, only the SNI and the destination IP are logged. This technique allowed the attackers to disguise their communications and evade detection by the security team.
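The SNI/Host mismatch is straightforward to hunt for once both values are logged. The script below is an added example, not part of the scenario or its reference material: it parses constructed key=value log lines (the format, addresses and hostnames are assumptions; the destination IP is only a placeholder standing in for a CDN address), normalises both names so that case, ports and trailing dots do not cause false positives, and rates a mismatch "high" when the two names belong to different registrable domains and "low" when they share one, since a CDN serving cdn.example.com while the request asks for example.com is usually benign.

```python
# Added example: flag TLS connections whose HTTP Host header disagrees with
# the TLS SNI, the domain-fronting signature described above.
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed key=value format, placeholder addresses).
SAMPLE_LOGS = """\
ts=2024-03-01T09:12:01Z src=10.20.30.41 dst=104.16.1.1 dport=443 sni=www.example.com host=www.example.com
ts=2024-03-01T09:12:05Z src=10.20.30.41 dst=104.16.1.1 dport=443 sni=www.example.com host=c2.attacker-infra.net
ts=2024-03-01T09:13:10Z src=10.20.30.52 dst=104.16.1.1 dport=443 sni=cdn.example.com host=example.com
ts=2024-03-01T09:14:22Z src=10.20.30.41 dst=104.16.1.1 dport=443 sni=www.example.com host=WWW.EXAMPLE.COM:443
ts=2024-03-01T09:15:00Z src=10.20.30.60 dst=104.16.1.1 dport=443 sni=- host=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Mismatch:
    ts: str
    src: str
    dst: str
    sni: str
    host: str
    severity: str  # "high": different registrable domains, "low": same domain


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def normalize(name: str) -> str:
    """Lower-case, drop an explicit port and a trailing dot so cosmetic
    differences (WWW.EXAMPLE.COM:443 vs www.example.com) are not flagged."""
    name = name.strip().lower()
    name = name.split(":", 1)[0]
    return name.rstrip(".")


def registrable_domain(name: str) -> str:
    """Last two labels. Simplification: a real deployment should use the
    Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(name.split(".")[-2:])


def classify(sni: str, host: str):
    """None when the names agree or either is missing, else a severity."""
    sni, host = normalize(sni), normalize(host)
    if sni in ("", "-") or host in ("", "-") or sni == host:
        return None
    return "high" if registrable_domain(sni) != registrable_domain(host) else "low"


def detect_fronting(log_text: str) -> list[Mismatch]:
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        severity = classify(fields.get("sni", "-"), fields.get("host", "-"))
        if severity:
            findings.append(Mismatch(fields["ts"], fields["src"], fields["dst"],
                                     fields["sni"], fields["host"], severity))
    return findings


if __name__ == "__main__":
    for m in detect_fronting(SAMPLE_LOGS):
        print(f"[{m.severity}] {m.ts} {m.src} -> {m.dst} sni={m.sni} host={m.host}")
```

On the sample only the second and third lines are reported: the request whose Host names an unrelated domain behind the well-known SNI is rated high, the same-domain CDN case low, and the cased, port-suffixed Host on the fourth line is recognised as identical. A follow-up step in an investigation would be to group the high-severity hits by source address to find the beaconing host.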

Domain Fronting Reference Link